The Starbucks mobile app, the most used mobile-payment app in the U.S., has been storing usernames, email addresses and passwords in clear text, Starbucks executives confirmed late on Tuesday (Jan. 14). The credentials were stored in such a way that anyone with access to the phone can see the passwords and usernames by connecting the phone to a PC. No jailbreaking of the phone is necessary. And that clear text also displays an extensive list of geolocation tracking points (latitude, longitude), a treasure trove of security and privacy gems for anyone who steals the phone.

Starbucks told Computerworld that it has “adequate security measures in place” and that usernames and passwords are safe because it added “extra layers of security.”

Unless you drop off the grid, it’s hard to avoid creating and typing in passwords on a daily basis.

A big risk with passwords stored in plain text: Some people use the same password for different services, like banking websites, store apps and more. If a ne’er-do-well managed to get hold of someone’s commonly used password — in the Starbucks case it isn’t easy, but not impossible — they could theoretically use it as a skeleton key.